Tag: macvlan

Setup dnsmasq for DNS, DHCP and TFTP

To set up DNS, DHCP and TFTP with dnsmasq, the three services are configured separately; the sections below cover the environment first and then each service in turn.

Environment

To make setup and backup easy, run dnsmasq in a docker container with its configuration kept on a bind-mounted host directory.

Configure macvlan

A DHCP server has to receive the clients' broadcasts on the LAN segment and answer from an address on that segment, which the default docker bridge (NAT) does not provide; a macvlan network gives the container its own MAC and IP address directly on the physical network.

Create a macvlan network on the parent interface eth0 (substitute bond0 or whatever your uplink interface is called) whose only assignable address is 192.168.1.250:

docker network create -d macvlan -o parent=eth0 --subnet=192.168.1.0/24 --gateway=192.168.1.254 --ip-range=192.168.1.250/32 my_macvlan_250

Configure bridge macvlan

By default the host that owns the parent interface cannot talk to containers on a macvlan attached to it (the kernel does not bridge traffic between the parent interface and its macvlan children), so the DNS server in the dnsmasq container is not reachable from the host itself.

To let the host use that DNS service as well, create a second macvlan interface on the host in bridge mode with IP address 192.168.1.249 and route the container address 192.168.1.250 through it; macvlan interfaces in bridge mode on the same parent can reach each other directly.

Add the following lines to the iface stanza for eth0 in /etc/network/interfaces:

up ip link add my_macvlan_249 link eth0 type macvlan mode bridge
up ip addr add 192.168.1.249/32 dev my_macvlan_249
up ip link set my_macvlan_249 up
up ip route add 192.168.1.250/32 dev my_macvlan_249

Untested setup

Other setups, such as a normal bridge interface on top of the physical interface, should also work, but I have not tried them.

Start container

Start the container with its /data folder mapped to /app/dnsmasq/data on the host; that directory holds the configuration file, the hosts and ethers directories, the TFTP root and the lease file, so backing it up backs up the whole service:

docker run --name dnsmasq -d -it --restart unless-stopped -v /app/dnsmasq/data:/data --network my_macvlan_250 dnsmasq

The container then runs dnsmasq as follows (-d keeps it in the foreground so docker logs captures its output, -q logs every DNS query):

dnsmasq -q -d --conf-file=/data/dnsmasq.conf --dhcp-broadcast

Troubleshooting dnsmasq

To debug dnsmasq, follow the container log:

docker logs -f dnsmasq

DNS queries arrive constantly from every client, so to debug only DHCP, filter out the lines that start with dnsmasq: , which is the prefix of the DNS log lines:

docker logs -f dnsmasq --since 1m | grep -v -e "^dnsmasq: "

DHCP log messages start with dnsmasq-dhcp: , so they can also be selected directly:

docker logs -f dnsmasq --since 1m | grep -e "^dnsmasq-dhcp: "

Note: commenting out log-queries in the configuration file, as the example configuration suggests, should stop the DNS query logging, but it has no effect here because the container starts dnsmasq with -q, which is the short form of --log-queries; the command-line flag turns query logging on regardless of what the configuration file says.

#log-queries
log-dhcp

Configure TFTP boot

Configure TFTP server

Enable the TFTP server and point it at a directory under the mounted volume:

enable-tftp
tftp-root=/data/tftp

Configure DHCP boot

Sample configuration that selects the boot file by the architecture the client firmware reports in DHCP option 93 (client-arch): 7 and 9 are x86-64 UEFI, 6 is 32-bit UEFI and 0 is legacy BIOS:

dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
dhcp-match=set:efi-x86,option:client-arch,6
dhcp-match=set:bios,option:client-arch,0
dhcp-boot=tag:efi-x86_64,efi64/syslinux.efi
dhcp-boot=tag:efi-x86,efi32/syslinux.efi
dhcp-boot=tag:bios,bios/lpxelinux.0

Configuration actually used here: x86-64 UEFI clients get the iPXE EFI binary (the commented line would hand out GRUB instead):

dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-boot=tag:efi-x86_64,ipxe.efi
#dhcp-boot=tag:efi-x86_64,grubx64.efi

Set the IPXEBOOT tag for clients that are already running iPXE, and choose the boot file accordingly. iPXE adds DHCP option 175 to its requests, so a request without it comes from the firmware's own PXE stack and is answered with the iPXE chainloader undionly.kpxe, while a request with it gets the boot script boot.ipxe; both are fetched from the TFTP server at 192.168.1.250. Caveat: dnsmasq uses the first dhcp-boot line whose tags all match, trying lines with a positive tag before lines that only have negated tags, and a UEFI client running iPXE still reports client-arch 7. With the tag:efi-x86_64 line above placed before the tag:IPXEBOOT line, such a client is sent ipxe.efi again instead of boot.ipxe; put the IPXEBOOT line first, or add tag:!IPXEBOOT to the efi-x86_64 line.

# set tag to IPXEBOOT when has option 175
dhcp-match=IPXEBOOT,175
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.

dhcp-boot=tag:!IPXEBOOT,undionly.kpxe,dnsmasq,192.168.1.250
dhcp-boot=tag:IPXEBOOT,boot.ipxe,dnsmasq,192.168.1.250

# Configure iSCSI for ipxe boot
#dhcp-option=175,8:1:1
#dhcp-option=tag:IPXEBOOT,17,"iscsi:192.168.1.17::::iqn.2012-12.net.bx:ds1812.pxe-ubuntu"
#dhcp-option-force=vendor:175, 190, user
#dhcp-option-force=vendor:175, 191, password

Configure DHCP

Global DHCP settings. DNS host entries are read from the files in the /data/hosts folder (hostsdir) and dhcp-host entries from the files in the /data/ethers folder (dhcp-hostsdir); no-hosts stops dnsmasq from also serving the container's own /etc/hosts, and expand-hosts appends the domain to plain host names so they also resolve as fully qualified names:

no-hosts
hostsdir=/data/hosts
#addn-hosts=/data/banner_add_hosts
dhcp-hostsdir=/data/ethers
dhcp-leasefile=/data/dnsmasq.leases
expand-hosts
dhcp-option=44,192.168.1.250 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=option:domain-search,bx.net,bianxi.com

DHCP domain and range

The following lines set the domain for the 192.168.1.0/24 subnet and define the address pool, lease time and router for hosts tagged home:

domain=bx.net,192.168.1.0/24
dhcp-range=tag:home,192.168.1.96,192.168.1.127,255.255.255.0,12h
dhcp-option=tag:home,option:router,192.168.1.254

DHCP mapping

To map a MAC address to an IP address, a tag and so on, use dhcp-host. Sample mappings:

dhcp-host=00:1b:77:07:08:af,set:home
dhcp-host=00:26:4a:18:82:c6,192.168.1.9,set:home
dhcp-host=win10,192.168.1.235,set:home

Note: entries in the files under dhcp-hostsdir must not carry the dhcp-host= prefix that is used in the main configuration file dnsmasq.conf:

00:1b:77:07:08:af,set:home
00:26:4a:18:82:c6,192.168.1.9,set:guest
win10,192.168.1.235,set:home

DHCP reject unknown hosts

The following line makes dnsmasq ignore every client that matched no dhcp-host entry (and therefore lacks the known tag), so every host must be registered with dhcp-host before it receives a lease. This is an inventory control rather than authentication: the match is on the MAC address the client presents, which any client can set to a registered value.

dhcp-ignore=tag:!known

Guest domain

Another way to deal with unknown hosts is a guest network.

The following lines define a DHCP pool, router and domain for hosts that do not carry the home tag:

dhcp-range=tag:!home,192.168.1.128,192.168.1.143,255.255.255.0,4h
dhcp-option=tag:!home,option:router,192.168.1.254
dhcp-option=tag:!home,option:domain-name,guest.net
#dhcp-option=tag:!home,option:domain-search,guest.net

Another way is to define guest network range as below for those hosts with tag guest.

#domain=guest.net,192.168.1.0/24
#dhcp-range=tag:guest,192.168.1.128,192.168.1.143,255.255.255.0,4h
#dhcp-option=tag:guest,option:router,192.168.1.254

#dhcp-host=00:a0:98:5f:9e:81,set:guest

DHCP mapping consideration

The logic of DHCP tags works as follows:

  • When a host sends a DHCP request it starts with one tag, the name of the interface the request arrived on, such as eth0.

  • If the request matches a dhcp-host line, the host is also tagged known.

  • Tags can be set in several ways:

    • In a dhcp-host line. For example, the following line sets guest:
    dhcp-host=00:a0:98:5f:9e:81,set:guest
    • By the address range the client is allocated from:
    dhcp-range=set:red,192.168.0.50,192.168.0.150
    • By matching fields of the request (vendor class, user class, MAC prefix):
    dhcp-vendorclass=set:red,Linux
    dhcp-userclass=set:red,accounts
    dhcp-mac=set:red,00:60:8C:*:*:*
  • Tags are then used as conditions with tag:, for example to select the address range:

    dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
  • A condition can be negated with !, so the line applies only to clients that do not carry the tag:

    dhcp-option=tag:!home,option:router,192.168.1.254
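The following Python script is an added example (not dnsmasq code and not from the original post) that models the tag rules listed above together with the dhcp-boot selection from the TFTP boot section, so a configuration can be checked on the desk before a client is rebooted. It encodes the rules exactly as stated on this page, plus one detail I take from dnsmasq's source as I read it and which should be treated as an assumption: dhcp-boot lines that carry at least one positive tag are tried first in configuration order, and lines with only negated tags (or none) act as fallbacks. Fed with this page's lines in the order they appear, it shows a UEFI client that has already loaded ipxe.efi being handed ipxe.efi again, and the same client reaching boot.ipxe once the IPXEBOOT line is placed first and the efi-x86_64 line is restricted with tag:!IPXEBOOT.

```python
"""Model of dnsmasq tag evaluation for dhcp-host, dhcp-match, dhcp-range and
dhcp-boot lines, fed with the configuration lines from this page.

Added example, not dnsmasq source. The dhcp-boot ordering (positive-tag
lines first in file order, then negated-only / untagged lines) is my reading
of dnsmasq's find_boot(); confirm it against the "bootfile name:" lines in
your own DHCP log before relying on it.
"""
from __future__ import annotations

CLIENT_ARCH = 93          # DHCP option 93: architecture reported by the PXE firmware
IPXE_OPTION = 175         # option iPXE adds to its own requests
IPXE_BINARIES = {"undionly.kpxe", "ipxe.efi"}   # loading one of these starts iPXE


def split_prefixed(fields: list[str], prefix: str) -> tuple[list[str], list[str]]:
    """Peel leading 'tag:x' / 'set:x' fields off a comma-split dnsmasq value."""
    taken = []
    while fields and fields[0].startswith(prefix):
        taken.append(fields.pop(0)[len(prefix):])
    return taken, fields


def parse_config(lines: list[str]) -> dict:
    """Read the dnsmasq.conf lines this model understands, keeping file order."""
    cfg = {"dhcp_host": {}, "dhcp_match": [], "dhcp_boot": [], "dhcp_range": []}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = value.split(",")
        if key == "dhcp-host":
            cfg["dhcp_host"][fields[0].lower()] = {f[4:] for f in fields[1:] if f.startswith("set:")}
        elif key == "dhcp-match":
            # both 'set:TAG,option:client-arch,7' and the older 'TAG,175' spelling
            tag = fields[0][4:] if fields[0].startswith("set:") else fields[0]
            opt = CLIENT_ARCH if fields[1] == "option:client-arch" else int(fields[1])
            value = int(fields[2]) if len(fields) > 2 else None
            cfg["dhcp_match"].append((tag, opt, value))
        elif key == "dhcp-boot":
            conds, rest = split_prefixed(fields, "tag:")
            cfg["dhcp_boot"].append((conds, rest[0]))
        elif key == "dhcp-range":
            conds, rest = split_prefixed(fields, "tag:")
            _sets, rest = split_prefixed(rest, "set:")   # set: on a range is not modelled
            cfg["dhcp_range"].append((conds, f"{rest[0]}-{rest[1]}"))
    return cfg


def client_tags(cfg: dict, mac: str, interface: str, options: dict) -> set[str]:
    """Tags a request carries: the interface, 'known' plus set: tags from a
    matching dhcp-host, and every dhcp-match whose option is present (with the
    required value, if one is given). options maps option number -> value."""
    tags = {interface}
    if mac.lower() in cfg["dhcp_host"]:
        tags |= {"known"} | cfg["dhcp_host"][mac.lower()]
    for tag, opt, value in cfg["dhcp_match"]:
        if opt in options and (value is None or options[opt] == value):
            tags.add(tag)
    return tags


def conds_hold(conds: list[str], tags: set[str]) -> bool:
    """'tag:x' needs x present, 'tag:!x' needs x absent; every condition must hold."""
    return all((c[1:] not in tags) if c.startswith("!") else (c in tags) for c in conds)


def select_boot(cfg: dict, tags: set[str]):
    """First dhcp-boot line whose conditions hold (see module docstring for the order)."""
    def positive(conds):
        return any(not c.startswith("!") for c in conds)
    ordered = [b for b in cfg["dhcp_boot"] if positive(b[0])] + \
              [b for b in cfg["dhcp_boot"] if not positive(b[0])]
    for conds, bootfile in ordered:
        if conds_hold(conds, tags):
            return bootfile
    return None


def matching_ranges(cfg: dict, tags: set[str]) -> list[str]:
    return [rng for conds, rng in cfg["dhcp_range"] if conds_hold(conds, tags)]


def boot_sequence(cfg: dict, mac: str, interface: str, client_arch: int, max_steps: int = 4) -> list:
    """Follow the chainload: the firmware's PXE request, then the request iPXE
    makes once it runs (which adds option 175). A repeated file means a loop."""
    options = {CLIENT_ARCH: client_arch}
    served = []
    for _ in range(max_steps):
        bootfile = select_boot(cfg, client_tags(cfg, mac, interface, options))
        served.append(bootfile)
        if bootfile not in IPXE_BINARIES or bootfile in served[:-1]:
            break
        options[IPXE_OPTION] = None      # iPXE is now running and marks its requests
    return served


# Lines from this page, in the order they appear on it (efi line before the IPXEBOOT lines).
PAGE_CONFIG = [
    "dhcp-match=set:efi-x86_64,option:client-arch,7",
    "dhcp-boot=tag:efi-x86_64,ipxe.efi",
    "dhcp-match=IPXEBOOT,175",
    "dhcp-boot=tag:!IPXEBOOT,undionly.kpxe,dnsmasq,192.168.1.250",
    "dhcp-boot=tag:IPXEBOOT,boot.ipxe,dnsmasq,192.168.1.250",
    "dhcp-range=tag:home,192.168.1.96,192.168.1.127,255.255.255.0,12h",
    "dhcp-range=tag:!home,192.168.1.128,192.168.1.143,255.255.255.0,4h",
    "dhcp-host=00:26:4a:18:82:c6,192.168.1.9,set:home",
]
# Same setup with the IPXEBOOT line first and the efi line limited to non-iPXE clients.
FIXED_CONFIG = [
    "dhcp-match=set:efi-x86_64,option:client-arch,7",
    "dhcp-match=IPXEBOOT,175",
    "dhcp-boot=tag:IPXEBOOT,boot.ipxe,dnsmasq,192.168.1.250",
    "dhcp-boot=tag:efi-x86_64,tag:!IPXEBOOT,ipxe.efi",
    "dhcp-boot=tag:!IPXEBOOT,undionly.kpxe,dnsmasq,192.168.1.250",
] + PAGE_CONFIG[5:]

if __name__ == "__main__":
    for name, cfg in (("page", parse_config(PAGE_CONFIG)), ("fixed", parse_config(FIXED_CONFIG))):
        print(name, "BIOS, unknown MAC:", boot_sequence(cfg, "aa:bb:cc:dd:ee:ff", "eth0", 0))
        print(name, "UEFI, known MAC  :", boot_sequence(cfg, "00:26:4a:18:82:c6", "eth0", 7))
```

Run it as is to see the loop on the page ordering (ipxe.efi served twice) and the corrected chain (ipxe.efi, then boot.ipxe); to check your own file, replace PAGE_CONFIG with the relevant lines of your dnsmasq.conf and compare the result with the "tags:" and "bootfile name:" lines in the DHCP log.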

DHCP options

DHCP option names and numbers can be read from the DHCP log, for example (one transaction, identified by the number after the prefix):

dnsmasq-dhcp: 2177430021 available DHCP range: 192.168.1.96 -- 192.168.1.127
dnsmasq-dhcp: 2177430021 available DHCP range: 192.168.1.128 -- 192.168.1.143
dnsmasq-dhcp: 2177430021 vendor class: MSFT 5.0
dnsmasq-dhcp: 2177430021 client provides name: baidu-windows
dnsmasq-dhcp: 2177430021 DHCPREQUEST(eth0) 192.168.1.113 00:a0:98:1d:b0:fc 
dnsmasq-dhcp: 2177430021 tags: home, known, eth0
dnsmasq-dhcp: 2177430021 DHCPACK(eth0) 192.168.1.113 00:a0:98:1d:b0:fc baidu-windows
dnsmasq-dhcp: 2177430021 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name, 
dnsmasq-dhcp: 2177430021 requested options: 31:router-discovery, 33:static-route, 43:vendor-encap, 
dnsmasq-dhcp: 2177430021 requested options: 44:netbios-ns, 46:netbios-nodetype, 47:netbios-scope, 
dnsmasq-dhcp: 2177430021 requested options: 119:domain-search, 121:classless-static-route, 
dnsmasq-dhcp: 2177430021 requested options: 249, 252
dnsmasq-dhcp: 2177430021 bootfile name: undionly.kpxe
dnsmasq-dhcp: 2177430021 server name: dnsmasq
dnsmasq-dhcp: 2177430021 next server: 192.168.1.250
dnsmasq-dhcp: 2177430021 broadcast response
dnsmasq-dhcp: 2177430021 sent size:  1 option: 53 message-type  5
dnsmasq-dhcp: 2177430021 sent size:  4 option: 54 server-identifier  192.168.1.250
dnsmasq-dhcp: 2177430021 sent size:  4 option: 51 lease-time  12h
dnsmasq-dhcp: 2177430021 sent size:  4 option: 58 T1  6h
dnsmasq-dhcp: 2177430021 sent size:  4 option: 59 T2  10h30m
dnsmasq-dhcp: 2177430021 sent size:  4 option:  1 netmask  255.255.255.0
dnsmasq-dhcp: 2177430021 sent size:  4 option: 28 broadcast  192.168.1.255
dnsmasq-dhcp: 2177430021 sent size:  6 option: 15 domain-name  bx.net
dnsmasq-dhcp: 2177430021 sent size: 23 option: 81 FQDN  03:ff:ff:62:61:69:64:75:2d:77:69:6e:64:6f...
dnsmasq-dhcp: 2177430021 sent size:  4 option:  6 dns-server  192.168.1.250
dnsmasq-dhcp: 2177430021 sent size:  4 option:  3 router  192.168.1.254
dnsmasq-dhcp: 2177430021 sent size:  4 option: 44 netbios-ns  192.168.1.250
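To make a log like the one above easier to use, here is an added Python example (not part of the original post) that applies the same selection as the grep in the troubleshooting section, groups dnsmasq-dhcp lines by transaction id, and pulls out the tags, the DHCP messages, the boot file and the option numbers sent, so the tag logic can be verified per client instead of by reading the raw log. It also lists clients that received a DHCPACK without the known tag, which is the check to run if you rely on dhcp-ignore=tag:!known. The sample log is the transaction printed on this page plus a second, constructed transaction for an unregistered client (MAC 02:42:c0:a8:01:90 and the name visitor-laptop are made up); the dnsmasq: query line at the top is constructed too and is only there to be filtered out.

```python
"""Parse dnsmasq DHCP log lines (as captured with `docker logs`) into one
record per transaction and flag leases handed to unregistered clients.

Added example, not part of the page and not dnsmasq tooling. The sample log
mixes the page's own transaction with a constructed second one.
"""
import re
from collections import defaultdict

DHCP_PREFIX = "dnsmasq-dhcp: "           # DNS query lines start with "dnsmasq: " instead
LINE_RE = re.compile(r"^dnsmasq-dhcp: (\d+) (.*)$")          # transaction id, message
MSG_RE = re.compile(r"^(DHCP[A-Z]+)\((\w+)\)\s*(.*)$")        # DHCPACK(eth0) ip mac [name]
SENT_RE = re.compile(r"^sent size:\s*(\d+) option:\s*(\d+) (\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def dhcp_lines(lines):
    """Same selection as: docker logs dnsmasq | grep -e '^dnsmasq-dhcp: '"""
    return [line for line in lines if line.startswith(DHCP_PREFIX)]


def new_record():
    return {"tags": set(), "messages": [], "sent": {}, "requested": [],
            "bootfile": None, "vendor_class": None, "mac": None, "ip": None, "hostname": None}


def parse_dhcp_log(lines):
    """Group dnsmasq-dhcp log lines by transaction id. Returns {xid: record}."""
    txns = defaultdict(new_record)
    for line in dhcp_lines(lines):
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        xid, rest = m.groups()
        rec = txns[xid]
        sent = SENT_RE.match(rest)
        msg = MSG_RE.match(rest)
        if rest.startswith("tags: "):
            rec["tags"] |= {t.strip() for t in rest[len("tags: "):].split(",")}
        elif rest.startswith("requested options: "):
            # "1:netmask, 3:router, ..., 249, 252" -> (number, name or None)
            for item in rest[len("requested options: "):].split(","):
                if item.strip():
                    num, _, name = item.strip().partition(":")
                    rec["requested"].append((int(num), name or None))
        elif rest.startswith("bootfile name: "):
            rec["bootfile"] = rest[len("bootfile name: "):]
        elif rest.startswith("vendor class: "):
            rec["vendor_class"] = rest[len("vendor class: "):]
        elif rest.startswith("client provides name: "):
            rec["hostname"] = rest[len("client provides name: "):]
        elif sent:
            _size, num, name, value = sent.groups()
            rec["sent"][int(num)] = (name, value)
        elif msg:
            kind, iface, tail = msg.groups()
            tokens = tail.split()
            ip = next((t for t in tokens if IPV4_RE.match(t)), None)
            mac = next((t for t in tokens if MAC_RE.match(t)), None)
            name = " ".join(t for t in tokens if t not in (ip, mac)) or None
            rec["messages"].append({"type": kind, "interface": iface, "ip": ip, "mac": mac, "hostname": name})
            rec["mac"] = mac or rec["mac"]
            rec["ip"] = ip or rec["ip"]
            rec["hostname"] = name or rec["hostname"]
    return dict(txns)


def unknown_acks(txns):
    """(mac, ip) of leases acknowledged for clients without the 'known' tag,
    i.e. clients that matched no dhcp-host line. With dhcp-ignore=tag:!known
    this must be empty; with a guest range it lists who is on the guest pool."""
    return sorted((rec["mac"], rec["ip"]) for rec in txns.values()
                  if "known" not in rec["tags"]
                  and any(m["type"] == "DHCPACK" for m in rec["messages"]))


# Constructed sample: the page's transaction (trimmed) plus a made-up guest client.
SAMPLE_LOG = """\
dnsmasq: query[A] update.example.net from 192.168.1.113
dnsmasq-dhcp: 2177430021 available DHCP range: 192.168.1.96 -- 192.168.1.127
dnsmasq-dhcp: 2177430021 vendor class: MSFT 5.0
dnsmasq-dhcp: 2177430021 client provides name: baidu-windows
dnsmasq-dhcp: 2177430021 DHCPREQUEST(eth0) 192.168.1.113 00:a0:98:1d:b0:fc
dnsmasq-dhcp: 2177430021 tags: home, known, eth0
dnsmasq-dhcp: 2177430021 DHCPACK(eth0) 192.168.1.113 00:a0:98:1d:b0:fc baidu-windows
dnsmasq-dhcp: 2177430021 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
dnsmasq-dhcp: 2177430021 requested options: 249, 252
dnsmasq-dhcp: 2177430021 bootfile name: undionly.kpxe
dnsmasq-dhcp: 2177430021 sent size:  1 option: 53 message-type  5
dnsmasq-dhcp: 2177430021 sent size:  4 option: 51 lease-time  12h
dnsmasq-dhcp: 2177430021 sent size:  4 option:  3 router  192.168.1.254
dnsmasq-dhcp: 3391820044 DHCPDISCOVER(eth0) 02:42:c0:a8:01:90
dnsmasq-dhcp: 3391820044 tags: eth0
dnsmasq-dhcp: 3391820044 DHCPOFFER(eth0) 192.168.1.130 02:42:c0:a8:01:90
dnsmasq-dhcp: 3391820044 DHCPREQUEST(eth0) 192.168.1.130 02:42:c0:a8:01:90
dnsmasq-dhcp: 3391820044 DHCPACK(eth0) 192.168.1.130 02:42:c0:a8:01:90 visitor-laptop
dnsmasq-dhcp: 3391820044 sent size:  4 option: 51 lease-time  4h
"""

if __name__ == "__main__":
    txns = parse_dhcp_log(SAMPLE_LOG.splitlines())
    for xid, rec in txns.items():
        print(xid, rec["mac"], rec["ip"], rec["hostname"], sorted(rec["tags"]), rec["bootfile"])
    print("leases to unregistered clients:", unknown_acks(txns))
```

In practice feed it the output of docker logs dnsmasq --since 1m and look at the tags and bootfile per transaction; an unexpected entry in the unregistered list means a client got an address without a dhcp-host entry, which is exactly what the dhcp-ignore line above is meant to prevent.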

Configure DNS

Set the upstream DNS servers that queries are forwarded to. Note that without no-resolv dnsmasq also forwards to the servers listed in the container's /etc/resolv.conf, so add that option if only these servers should be used:

# DNS Server
server=165.21.83.88
#server=165.21.100.88
server=8.8.8.8

DNS mapping

DNS entries in the hostsdir files use the /etc/hosts format:

192.168.1.1     host1 host-alias

Sample configuration steps

Add a static IP entry for a known MAC address

In a file under the ethers folder (dhcp-hostsdir), add the DHCP entry:

44:55:66:77:88:99,192.168.1.222,set:home

In a hosts file (a file under /data/hosts, or banner_add_hosts if the commented addn-hosts line is enabled) add the DNS entry; with expand-hosts and domain=bx.net it also answers for cat.bx.net:

192.168.1.222    cat
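Because the DHCP entry and the DNS entry live in different directories, it is easy for them to drift apart. The following Python script is an added example (not part of the original post) that reads files in the dhcp-hostsdir and hostsdir formats described above and reports a dhcp-host= prefix left in an ethers file, malformed MAC addresses, a MAC or IP registered twice, a static IP that falls inside one of the dynamic dhcp-range pools, and a static IP with no hostsdir name. The sample files are constructed in memory from entries on this page (the guest file, the nas name and the duplicate .130 entry are made up); for a real installation, read the files from /data/ethers and /data/hosts into the same dicts.

```python
"""Consistency checks for the dnsmasq data directory used on this page:
files under dhcp-hostsdir (/data/ethers) and hostsdir (/data/hosts).

Added example, not part of the page. Sample files are constructed below.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
LEASE_RE = re.compile(r"^(\d+[smhd]?|infinite)$")      # optional lease time field


def is_ipv4(text):
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def parse_ethers(text, filename):
    """Parse one dhcp-hostsdir file. Lines hold the dhcp-host VALUE only:
    [mac][,name][,ip][,set:tag]... Returns (entries, errors)."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        where = f"{filename}:{n}"
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("dhcp-host="):
            errors.append(f"{where}: 'dhcp-host=' prefix belongs in dnsmasq.conf only, not in dhcp-hostsdir files")
            line = line[len("dhcp-host="):]
        entry = {"where": where, "mac": None, "ip": None, "hostname": None, "tags": set()}
        for field in (f.strip() for f in line.split(",")):
            if MAC_RE.match(field):
                entry["mac"] = field.lower()
            elif field.startswith("set:"):
                entry["tags"].add(field[4:])
            elif is_ipv4(field):
                entry["ip"] = field
            elif ":" in field:
                errors.append(f"{where}: malformed MAC address {field!r}")
            elif not LEASE_RE.match(field):
                entry["hostname"] = field        # dhcp-host may key on the client name, e.g. win10
        entries.append(entry)
    return entries, errors


def parse_hosts(text):
    """Parse a hostsdir file in /etc/hosts format into {ip: [names]}."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.setdefault(fields[0], []).extend(fields[1:])
    return names


def check(ethers_files, hosts_files, dynamic_pools):
    """Cross-check dhcp-hostsdir files against hostsdir files and the dynamic
    dhcp-range pools. Returns a list of human-readable findings."""
    entries, errors, names = [], [], {}
    for filename, text in ethers_files.items():
        found, errs = parse_ethers(text, filename)
        entries += found
        errors += errs
    for text in hosts_files.values():
        for ip, ns in parse_hosts(text).items():
            names.setdefault(ip, []).extend(ns)
    pools = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in dynamic_pools]
    seen_mac, seen_ip = {}, {}
    for e in entries:
        if e["mac"]:
            if e["mac"] in seen_mac:
                errors.append(f"{e['where']}: MAC {e['mac']} already registered at {seen_mac[e['mac']]}")
            seen_mac.setdefault(e["mac"], e["where"])
        if e["ip"]:
            if e["ip"] in seen_ip:
                errors.append(f"{e['where']}: IP {e['ip']} already assigned at {seen_ip[e['ip']]}")
            seen_ip.setdefault(e["ip"], e["where"])
            addr = ipaddress.ip_address(e["ip"])
            for lo, hi in pools:
                if lo <= addr <= hi:
                    errors.append(f"{e['where']}: static IP {e['ip']} lies inside dynamic pool {lo}-{hi}")
            if e["ip"] not in names and not e["hostname"]:
                errors.append(f"{e['where']}: static IP {e['ip']} has no hostsdir entry; only its DHCP client name (if any) will resolve")
    return errors


# Constructed sample files: {filename: content}. Entries are taken from this page,
# the "guest" file and the nas name are made up to exercise the checks.
SAMPLE_ETHERS = {
    "ethers": "00:1b:77:07:08:af,set:home\n"
              "00:26:4a:18:82:c6,192.168.1.9,set:home\n"
              "win10,192.168.1.235,set:home\n"
              "44:55:66:77:88:99,192.168.1.222,set:home\n",
    "guest": "dhcp-host=00:a0:98:5f:9e:81,set:guest\n"
             "00:26:4a:18:82:c6,192.168.1.130,set:guest\n",
}
SAMPLE_HOSTS = {
    "cat": "192.168.1.222    cat\n",
    "lan": "192.168.1.1     host1 host-alias\n192.168.1.9 nas\n",
}
DYNAMIC_POOLS = [("192.168.1.96", "192.168.1.127"), ("192.168.1.128", "192.168.1.143")]

if __name__ == "__main__":
    for finding in check(SAMPLE_ETHERS, SAMPLE_HOSTS, DYNAMIC_POOLS):
        print(finding)
```

Run it after editing the ethers or hosts files and before restarting dnsmasq; the pool ranges come from the dhcp-range lines above.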

Bridge Interface vs Macvtap Interface in TrueNAS

Clearer information can be found in the references.

Description

Note: this is based on my understanding and might be incorrect.

Both a bridge and macvtap create network interfaces on top of the physical network for VMs to use.

With macvtap each VM gets its own dedicated macvtap interface on the host, and that interface carries the VM's MAC address. A macvtap is a macvlan interface with a tap character device attached, which is what the hypervisor connects the VM to.

With a bridge all VMs plug into the same bridge interface, which has its own MAC address on the host, different from the VMs' addresses.

Bridge Mode

Virtual interfaces in VMs => Bridge interface => Physical Interface in Host

Macvlan

Macvtap interfaces => Physical Interface in Host

Pros

Macvtap

  • A macvtap interface on the host can be attached to any physical interface, and moving a VM to a different physical interface is done on the host side.
  • In passthru mode the VM gets exclusive use of the physical interface the host created the macvtap on.
  • If the VM is sensitive to its MAC address, macvtap is the better choice: the frames on the wire carry the VM's own MAC (see macvtap11 and macvtap12 in the sample below, whose addresses are the VMs' addresses).

Bridge

  • VM and host can communicate with each other
  • VMs can use services running on the host
  • A bridge can be created without any physical interface (a host-only network)

Cons

Macvtap

  • A VM on a macvtap cannot communicate with the host through the parent interface (the host's address on that interface is not reachable from its macvlan children); this is the same limitation worked around with the second macvlan in the dnsmasq post above

Bridge

  • All VMs' virtual interfaces share the one bridge interface on the host, and the host's own address moves to the bridge (in the sample below br0 carries 192.168.1.19 instead of bond0)

Sample

Macvtap

truenas# ifconfig -a
bond0: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST>  mtu 1500
        inet 192.168.1.19  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 06:b1:f7:6d:13:4c  txqueuelen 1000  (Ethernet)
        RX packets 1680348527  bytes 2208822464277 (2.0 TiB)
        RX errors 0  dropped 151  overruns 0  frame 0
        TX packets 1617739524  bytes 1698187389538 (1.5 TiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp17s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 54:04:a6:4b:81:c8  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 5107071  bytes 2866624273 (2.6 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5107071  bytes 2866624273 (2.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

macvtap11: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::2a0:98ff:fe78:393  prefixlen 64  scopeid 0x20<link>
        ether 00:a0:98:78:03:93  txqueuelen 500  (Ethernet)
        RX packets 22627262  bytes 78234456341 (72.8 GiB)
        RX errors 2324  dropped 2324  overruns 0  frame 0
        TX packets 14142613  bytes 71245696317 (66.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

macvtap12: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::2a0:98ff:fe1f:d5c7  prefixlen 64  scopeid 0x20<link>
        ether 00:a0:98:1f:d5:c7  txqueuelen 500  (Ethernet)
        RX packets 480  bytes 943563 (921.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 301  bytes 36435 (35.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth7ae8af79: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::80de:6cff:fe6c:3ac2  prefixlen 64  scopeid 0x20<link>
        ether b2:16:c9:7a:5d:51  txqueuelen 0  (Ethernet)
        RX packets 1049172  bytes 819582891 (781.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1006473  bytes 532661621 (507.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethe3db1df9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::1001:84ff:feaf:f3c3  prefixlen 64  scopeid 0x20<link>
        ether 5e:93:0b:01:a8:b0  txqueuelen 0  (Ethernet)
        RX packets 818421  bytes 79271857 (75.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 858581  bytes 75468204 (71.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp15s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:08:ca:28:b8:d1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Bridge

truenas# ifconfig -a
bond0: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST>  mtu 1500
        ether 06:b1:f7:6d:13:4c  txqueuelen 1000  (Ethernet)
        RX packets 2273930881  bytes 3403517718704 (3.0 TiB)
        RX errors 0  dropped 4615  overruns 0  frame 0
        TX packets 417927732  bytes 27440289291 (25.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.19  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 06:62:23:59:d5:35  txqueuelen 1000  (Ethernet)
        RX packets 628064711  bytes 1811199459942 (1.6 TiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 331791210  bytes 1156251281548 (1.0 TiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp17s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 54:04:a6:4b:81:c8  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2676343  bytes 1435559819 (1.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2676343  bytes 1435559819 (1.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth8dfea17d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::780d:4cff:fe3c:a108  prefixlen 64  scopeid 0x20<link>
        ether ae:fa:aa:94:e6:3f  txqueuelen 0  (Ethernet)
        RX packets 432268  bytes 41857026 (39.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 437864  bytes 38739338 (36.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethc44c60e0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::dc33:23ff:fef3:7f06  prefixlen 64  scopeid 0x20<link>
        ether 8a:af:5b:12:51:36  txqueuelen 0  (Ethernet)
        RX packets 549957  bytes 433379151 (413.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 480138  bytes 272756471 (260.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fca0:98ff:fe78:393  prefixlen 64  scopeid 0x20<link>
        ether fe:a0:98:78:03:93  txqueuelen 1000  (Ethernet)
        RX packets 79558657  bytes 253665109225 (236.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 221506436  bytes 2888491048856 (2.6 TiB)
        TX errors 0  dropped 1220 overruns 0  carrier 0  collisions 0

wlp15s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:08:ca:28:b8:d1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

References

Bridge vs Macvlan
Enabling host-guest networking with KVM, Macvlan and Macvtap